From e0c9239c5b80a0380da1d520693697bcced5e3a8 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 25 Oct 2018 02:53:26 +0200
Subject: peer: another peer_remove cleanup

---
 src/noise.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'src/noise.c')

diff --git a/src/noise.c b/src/noise.c
index 098c060..4160fc0 100644
--- a/src/noise.c
+++ b/src/noise.c
@@ -159,18 +159,26 @@ void wg_noise_keypairs_clear(struct noise_keypairs *keypairs)
 	struct noise_keypair *old;
 
 	spin_lock_bh(&keypairs->keypair_update_lock);
-	old = rcu_dereference_protected(keypairs->previous_keypair,
-		lockdep_is_held(&keypairs->keypair_update_lock));
-	RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
-	wg_noise_keypair_put(old, true);
+
+	/* We zero the next_keypair before zeroing the others, so that
+	 * wg_noise_received_with_keypair returns early before subsequent ones
+	 * are zeroed.
+	 */
 	old = rcu_dereference_protected(keypairs->next_keypair,
 		lockdep_is_held(&keypairs->keypair_update_lock));
 	RCU_INIT_POINTER(keypairs->next_keypair, NULL);
 	wg_noise_keypair_put(old, true);
+
+	old = rcu_dereference_protected(keypairs->previous_keypair,
+		lockdep_is_held(&keypairs->keypair_update_lock));
+	RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
+	wg_noise_keypair_put(old, true);
+
 	old = rcu_dereference_protected(keypairs->current_keypair,
 		lockdep_is_held(&keypairs->keypair_update_lock));
 	RCU_INIT_POINTER(keypairs->current_keypair, NULL);
 	wg_noise_keypair_put(old, true);
+
 	spin_unlock_bh(&keypairs->keypair_update_lock);
 }
 
-- 
cgit v1.2.3-59-g8ed1b